
Running as non-default user results in permission error on lock file #264

Closed
jchappell82 opened this issue Feb 16, 2017 · 7 comments · Fixed by #289

Comments

@jchappell82

I'm attempting to run the latest 9.6 container (have also tried the alpine container with the same result) with a non-default user. The data files are all created correctly by initdb, but the server itself never starts due to permission problems on /var/run/postgresql.

Using the following command to start the container:

sudo docker run --name app-pg -e POSTGRES_PASSWORD=<secret> \
          -e POSTGRES_DB=postgres -e PGDATA=/var/lib/postgresql/data/pgdata \
          --user "$(id -u appuser):$(id -g appuser)" \
          -v /volume1/docker/volumes/app_data/pgdata:/var/lib/postgresql/data/pgdata \
          -v /etc/passwd:/etc/passwd:ro -d \
          postgres:9.6

The following output is generated:

The files belonging to this database system will be owned by user "appuser".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data/pgdata ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data/pgdata -l logfile start


WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
waiting for server to start....FATAL:  could not create lock file "/var/run/postgresql/.s.PGSQL.5432.lock": Permission denied
LOG:  database system is shut down
 stopped waiting
pg_ctl: could not start server

It would seem that while the data piece of allowing arbitrary users is working, the section of the Dockerfile at https://github.com/docker-library/postgres/blob/master/9.6/Dockerfile#L57 still requires the postgres user or group, which cannot be assumed to exist on the host. A possible solution would be to make the directory world accessible, but I'm admittedly not positive what the security ramifications of doing so would be (though I suspect they're minimal given this is all inside the container).

Or...I could just be doing something wrong. Any suggestions?

@jchappell82
Author

As a side note, I did manage to work around this by changing to the following process:

  1. Initialize the container with:
sudo docker run --rm -e POSTGRES_PASSWORD=<secret> \
          -e POSTGRES_DB=postgres -e PGDATA=/var/lib/postgresql/data/pgdata \
          --user "$(id -u appuser):$(id -g appuser)" \
          -v /volume1/docker/volumes/app_data/pgdata:/var/lib/postgresql/data/pgdata \
          -v /etc/passwd:/etc/passwd:ro \
          postgres:9.6
  2. Create the actual service container with:
sudo docker run --name app-pg -e POSTGRES_PASSWORD=<secret> \
          -e POSTGRES_DB=postgres -e PGDATA=/var/lib/postgresql/data/pgdata \
          --user "$(id -u appuser):postgres" \
          -v /volume1/docker/volumes/app_data/pgdata:/var/lib/postgresql/data/pgdata \
          -v /etc/passwd:/etc/passwd:ro -d \
          postgres:9.6

such that the process runs as my non-default user and the container's postgres group.

@yosifkit
Member

That looks like a bug on our part; we should probably chown 777 /var/run/postgresql rather than the current g+s. Running with the postgres group is a fine workaround; you can also use --group-add postgres so that you can still keep the appuser group.
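The two fixes discussed in this thread (running with the container's postgres group, or widening the directory mode) both come down to the ordinary Unix write check on /var/run/postgresql. The script below is an added example, not code from this issue or from the docker-library/postgres project: it models that check for a directory and replays the scenarios from the thread. The numeric values are assumptions made for the illustration (postgres inside the image as uid:gid 999:999, the directory owned by 999:999 with mode 2775, i.e. group-writable plus setgid, and appuser as 1000:1000); substitute the values from your own image.

```shell
#!/bin/sh
# Model of the Unix discretionary write check for a directory, reduced to the
# bits that decide whether a process may create a file (such as a lock file) in it.
#
# can_write DIR_UID DIR_GID DIR_MODE PROC_UID PROC_GID "SUPP_GIDS"
#   DIR_MODE  octal mode string as printed by stat, e.g. 2775 or 777
#   SUPP_GIDS space-separated supplementary gids (what --group-add contributes)
# Prints "allowed" or "denied"; exit status 0 / 1 respectively.
can_write() {
  dir_uid=$1; dir_gid=$2; mode=$3; uid=$4; gid=$5; supp=$6

  # Parse the octal mode digit by digit (pure POSIX sh, no reliance on
  # the shell's own octal literal handling).
  perm=0; rest=$mode
  while [ -n "$rest" ]; do
    d=${rest%"${rest#?}"}        # first character
    rest=${rest#?}               # remainder
    perm=$(( perm * 8 + d ))
  done
  # Keep only the nine rwx bits: setgid (the 2 in 2775) never grants access by
  # itself, it only affects the group of files created inside the directory.
  perm=$(( perm & 511 ))

  if [ "$uid" -eq 0 ]; then
    echo allowed; return 0       # root bypasses DAC entirely
  fi
  if [ "$uid" -eq "$dir_uid" ]; then
    bits=$(( (perm >> 6) & 7 ))  # owner class
  else
    in_group=0
    [ "$gid" -eq "$dir_gid" ] && in_group=1
    for g in $supp; do
      [ "$g" -eq "$dir_gid" ] && in_group=1
    done
    if [ "$in_group" -eq 1 ]; then
      bits=$(( (perm >> 3) & 7 ))  # group class (primary OR supplementary gid)
    else
      bits=$(( perm & 7 ))         # other class
    fi
  fi
  if [ $(( bits & 2 )) -ne 0 ]; then
    echo allowed; return 0
  fi
  echo denied; return 1
}

# Replay of the thread's scenarios. Assumed values (not taken from the image):
# postgres = 999:999 and owns /var/run/postgresql with mode 2775; appuser = 1000:1000.
scenario() {
  case $1 in
    issue)        can_write 999 999 2775 1000 1000 "" ;;      # --user appuser:appuser
    gid_postgres) can_write 999 999 2775 1000 999  "" ;;      # --user appuser:postgres
    group_add)    can_write 999 999 2775 1000 1000 "999" ;;   # --user appuser:appuser --group-add postgres
    chmod777)     can_write 999 999 777  1000 1000 "" ;;      # directory made world-writable
    *) echo "unknown scenario: $1" >&2; return 2 ;;
  esac
}

for s in issue gid_postgres group_add chmod777; do
  printf '%-13s %s\n' "$s" "$(scenario "$s")"
done
```

The "issue" line reproduces the FATAL in the first comment: appuser is neither the owner nor in the owning group, so only the "other" bits (r-x) apply and the lock file cannot be created. Both workarounds land in the group class, where the w bit is set; the 777 variant instead opens the directory to every uid in the container, which is the trade-off the original poster asked about. To check the real numbers for an image, run `stat -c '%u:%g %a' /var/run/postgresql` inside it, and `id` with your intended `--user`/`--group-add` flags to see which supplementary gids the process actually gets.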

@quiqueporta

I have the same problem running this command with postgres 9.1

docker run -it --rm -e POSTGRES_USER=test -e POSTGRES_PASSWORD=test -p 5432:5432 \
-v /home/quique/dev/data:/var/lib/postgresql/data \
--user "$(id -u):$(id -g)" \
-v /etc/passwd:/etc/passwd:ro postgres:9.1

chown: invalid user: ‘postgres’

@yosifkit
Member

yosifkit commented Mar 3, 2017

@quiqueporta, support for running as an arbitrary user (#253) was added after 9.1 was dropped, so it doesn't have that improvement.

See also, the Docker Hub readme (source) for the limitations.

@tianon
Member

tianon commented Mar 3, 2017 via email

@zhangsoledad

I have the same issue; using --group-add postgres fixes it.

@bussyjd

bussyjd commented May 19, 2017

I can confirm adding --group-add postgres fixes it. It would be nice to have it in the README.
